CIS: Windows Server 2019


This document provides information about the hotfix containing Center for Internet Security (CIS) templates for Windows Server 2019, with implementations for 401 rules, that can be installed on TrueSight Server Automation 8.9.04.001 or later. The template is based on the recommended settings defined in the Microsoft Windows Server 2019 RTM (Release 1809) Security Configuration Benchmark Version 1.1.0, published on January 14, 2020.

Before you begin

Before you install this hotfix, ensure that all compliance content provided by BMC in your environment is updated to version 8.9.04.001 or later.

Step 1: Downloading and installing the files

  1. Log in to the ftp.bmc.com host using the SFTP protocol.
  2. Download the CIS - Windows Server 2019.zip package from ftp.bmc.com.
     Verify the downloaded content by using the following checksum.

     File Name                       MD5SUM
     CIS - Windows Server 2019.zip   13ba945a580eeb8ad0017acbdb236e12

  3. Copy the CIS - Windows Server 2019.zip package to your RCP client server.
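The following PowerShell is an added example (it is not part of the BMC documentation or of the hotfix package) that performs the checksum verification from step 2 before the package is copied to the RCP client server. The download path is an assumption; the expected MD5 is the one published above.

```powershell
# Added example; not BMC's code. Compares the MD5 of the downloaded package
# with the checksum published on the hotfix page.
$PackagePath = 'C:\Downloads\CIS - Windows Server 2019.zip'   # assumed download location
$ExpectedMd5 = '13ba945a580eeb8ad0017acbdb236e12'              # checksum published on the page

function Test-PackageChecksum {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedHash
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Package not found: $Path"
    }
    # Get-FileHash returns upper-case hex; compare case-insensitively.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    [PSCustomObject]@{
        Path     = $Path
        Expected = $ExpectedHash.ToLowerInvariant()
        Actual   = $actual.ToLowerInvariant()
        Match    = ($actual -ieq $ExpectedHash)
    }
}

$result = Test-PackageChecksum -Path $PackagePath -ExpectedHash $ExpectedMd5
$result | Format-List
if (-not $result.Match) {
    Write-Error 'Checksum mismatch: do not import this package; download it again from ftp.bmc.com.'
    exit 1
}
```

The MD5 comparison detects a corrupted or incomplete download; it does not by itself establish who published the file, so take the expected value from this page over an authenticated session rather than from a file that travelled with the package.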

Step 2: Importing the compliance content

  1. Log on to the console.
  2. Right-click Component Templates and select Import.
  3. In the Import Wizard window, select Import (Version-neutral).
  4. Select the CIS - Windows Server 2019.zip package that you downloaded and click Next.
  5. To import the templates, select the CIS - Windows Server 2019.zip file and click Next.

     Note

     Ensure that you select the Update objects according to the imported package and Preserve template group path options before you click Next.

  6. Click Next to review the import contents and then click Finish.
     The templates are imported successfully.

Rules within the templates

The following are the details of the 401 rules provided in the zip package. It contains the following types of rules:

  • Rules that check for compliance and provide remediation - 378
  • Rules that check for compliance but do not provide remediation - 23

The following are the details of the rules that are divided into parts:

  • Rules not divided into parts - 375
  • Rules divided into two parts (Rule ID 18.8.22.1.13, 18.8.25.1, 18.9.80.1.1, 18.9.102.1.1, 18.9.102.1.3) - (5 * 2) = 10
  • Rules divided into three parts (Rule ID 18.9.102.1.2) - (1 * 3) = 3
  • Rules divided into four parts (Rule ID : 18.5.9.1, 18.5.9.2) - (2 * 4) = 8
  • Rules divided into five parts (Rule ID : 18.5.20.1) - (1 * 5) = 5

So, the rule count reported by the CIS Windows 2019 template after the compliance job runs is 401 (375 + 10 + 3 + 8 + 5).

Note

Read the following points before you run the compliance checks or perform remediation: 

  • While running compliance jobs on domain controller targets, set the DOMAIN property of the target server to DC.
  • For member servers and standalone systems, the DOMAIN property can either be blank or any string other than DC. Ensure that the value DC is set only on domain controller targets.
  • Ensure that you copy the required admx/adml files specified in the CIS benchmark to the policy definition location. Remediation occurs only when these files are available. For more details, see section 18 of the CIS benchmark. By default, the policy definitions are located at:
    MS : %systemroot%\PolicyDefinitions
    DC: %SYSTEMROOT%\SYSVOL\sysvol\!USERDNSDOMAIN!\Policies\PolicyDefinitions
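The following PowerShell is an added example, not BMC's code or part of the templates, that resolves the policy definition location described in the note from the target's DOMAIN value and reports which required ADMX/ADML files are missing, which is the condition under which the section 18 remediation does not run. The file base names SecGuide and MSS-legacy are an assumption (the templates the CIS benchmark's section 18 refers to for the MS Security Guide and MSS (Legacy) settings); confirm the list against your copy of the benchmark, and pass the DNS domain name explicitly if USERDNSDOMAIN is not set in the session.

```powershell
# Added example; not part of the BMC hotfix documentation or its templates.
# Resolves the PolicyDefinitions location for a target from its DOMAIN value
# (DC for domain controllers, blank or anything else for member servers) and
# reports which ADMX/ADML files required by section 18 of the benchmark are missing.

function Get-PolicyDefinitionsPath {
    param(
        [string] $Domain,                           # target's DOMAIN property value
        [string] $DnsDomain = $env:USERDNSDOMAIN    # DNS name of the AD domain (DCs only)
    )
    if ($Domain -eq 'DC') {
        if ([string]::IsNullOrWhiteSpace($DnsDomain)) {
            throw 'DNS domain name is required for a domain controller target (USERDNSDOMAIN is not set).'
        }
        # DC: %SYSTEMROOT%\SYSVOL\sysvol\<dns domain>\Policies\PolicyDefinitions
        return Join-Path $env:SystemRoot "SYSVOL\sysvol\$DnsDomain\Policies\PolicyDefinitions"
    }
    # MS: %systemroot%\PolicyDefinitions
    return Join-Path $env:SystemRoot 'PolicyDefinitions'
}

function Test-RequiredPolicyDefinitions {
    param(
        [string]   $Domain,
        [string]   $DnsDomain = $env:USERDNSDOMAIN,
        # Assumed list: the templates section 18 of the benchmark refers to
        # (MS Security Guide and MSS (Legacy)); confirm against your benchmark copy.
        [string[]] $RequiredBaseNames = @('SecGuide', 'MSS-legacy'),
        [string]   $Language = 'en-US'              # ADML language subfolder
    )
    $root = Get-PolicyDefinitionsPath -Domain $Domain -DnsDomain $DnsDomain
    $missing = foreach ($name in $RequiredBaseNames) {
        foreach ($file in @("$name.admx", "$Language\$name.adml")) {
            $full = Join-Path $root $file
            if (-not (Test-Path -LiteralPath $full)) { $full }
        }
    }
    [PSCustomObject]@{
        PolicyDefinitionsPath = $root
        Missing               = @($missing)
        Ready                 = (@($missing).Count -eq 0)   # section 18 remediation needs every file
    }
}

# Usage: run on the target before the compliance job. Use -Domain 'DC' on a
# domain controller and -Domain '' (or any other string) on a member server.
$check = Test-RequiredPolicyDefinitions -Domain 'DC'
$check | Format-List
$check.Missing | ForEach-Object { Write-Warning "Missing policy definition file: $_" }
```

Run the check with the same DOMAIN value the target server has in TrueSight, so that the path inspected is the one the template will use; a Ready value of False means the files listed in Missing must be copied in before the section 18 rules can remediate.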

Rule IDs without remediation and undo    Comments
1.2.1, 1.2.3                             No remediation is provided because the GPO settings Reset account lockout counter after (Rule ID 1.2.3) and Account lockout duration (Rule ID 1.2.1) depend on each other; a non-compliant result must be resolved manually.
2.3.1.5, 2.3.1.6                         The remediation requires user input that must be provided by the organization.
18.2.1, 18.5.14.1                        None
18.9.77.13.1.2                           None
18.8.21.5                                None
Section 19 rules (19.1.3.1, 19.1.3.2, 19.1.3.3, 19.1.3.4, 19.5.1.1, 19.6.6.1.1, 19.7.4.1, 19.7.4.2, 19.7.7.1, 19.7.7.2, 19.7.7.3, 19.7.7.4, 19.7.26.1, 19.7.41.1, 19.7.45.2.1)    None


Property type  Rule where the property is used  Property name                                    Default values   Delimiter
LOCAL          1.1.4                            MIN_PASSWD_LENGTH                                14
LOCAL          2.2.21                           DENY_ACCESS_FROM_NETWORK                         BUILTIN\Guests
LOCAL          2.2.26                           DENY_LOG_ON_THROUGH_THE_REMOTE_DESKTOP_SERVICES  BUILTIN\Guests   Comma (,)
LOCAL          2.3.7.4                          CIS_LEGAL_NOTICE_TEXT                            BLANK
LOCAL          2.3.7.5                          INTERACTIVE_LOGON_MESSAGE_TITLE                  BLANK
LOCAL          19.1.3.2                         SCREEN_SAVER_EXECUTABLE                          BLANK
LOCAL          2.3.1.5                          RENAME_ADMINISTRATOR_ACCOUNT                     BLANK
LOCAL          2.3.1.6                          RENAME_GUEST_ACCOUNT                             BLANK
LOCAL          2.3.11.3                         ALLOW_PKU2U_AUTHENTICATION_REQUESTS              0